* [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs
@ 2026-07-06 11:00 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric), Peter Marko,
Richard Purdie
This series fixes the following CVEs:
- CVE-2026-11940
- CVE-2026-11972
- CVE-2026-3276
- CVE-2026-7210
- CVE-2026-7774
- CVE-2026-8328
- CVE-2026-9669
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
Benjamin Robin (Schneider Electric) (2):
python3: fix CVE-2026-11940
python3: fix CVE-2026-11972
Peter Marko (1):
python3: upgrade 3.14.5 -> 3.14.6
...x-ThreadingMock-call-count-race-condition.patch | 37 ------------
.../python/python3/CVE-2026-11940.patch | 67 ++++++++++++++++++++++
.../python/python3/CVE-2026-11972.patch | 59 +++++++++++++++++++
.../{python3_3.14.5.bb => python3_3.14.6.bb} | 9 ++-
4 files changed, 130 insertions(+), 42 deletions(-)
---
base-commit: 5d1aa5c806c061a2994f4decb59016610f093213
change-id: 20260706-fix-cves-python-wrynose-076b5060a7be
Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric), Peter Marko,
Richard Purdie
From: Peter Marko <peter.marko@siemens.com>
Release notes: [1]
Resolves following CVEs from reports:
* CVE-2026-3276
* CVE-2026-7210
* CVE-2026-7774
* CVE-2026-8328
* CVE-2026-9669
Resolves also:
* shutil.move symlink-based bypass (CVE assignment unknown)
Removed obsolete CVE_STATUS entries.
Removed patch included in this release.
[1] https://docs.python.org/3/whatsnew/changelog.html#python-3-14-6-final
[2] https://security-tracker.debian.org/tracker/CVE-2026-7210
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
...x-ThreadingMock-call-count-race-condition.patch | 37 ----------------------
.../{python3_3.14.5.bb => python3_3.14.6.bb} | 7 ++--
2 files changed, 2 insertions(+), 42 deletions(-)
diff --git a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch b/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
deleted file mode 100644
index aba3188a59ae..000000000000
--- a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 388e023fe1197c1ffed374520ed45df4ac72b8f5 Mon Sep 17 00:00:00 2001
-From: Sai Sneha <saisneha196@gmail.com>
-Date: Thu, 21 May 2026 13:08:07 +0530
-Subject: [PATCH] Fix ThreadingMock call_count race condition
-
-ThreadingMock._increment_mock_call() was not thread-safe.
-Multiple threads calling the mock simultaneously could lose
-increments due to race conditions on call_count and other
-attributes.
-
-Fix by overriding _increment_mock_call in ThreadingMixin
-and wrapping it with the existing _mock_calls_events_lock.
-
-Upstream-Status: Backport [https://github.com/python/cpython/pull/150176]
-
-Signed-off-by: Sai Sneha <saisneha196@gmail.com>
----
- Lib/unittest/mock.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/Lib/unittest/mock.py b/Lib/unittest/mock.py
-index 16f3699e89..56cdc37942 100644
---- a/Lib/unittest/mock.py
-+++ b/Lib/unittest/mock.py
-@@ -3113,6 +3113,10 @@ def _mock_call(self, *args, **kwargs):
-
- return ret_value
-
-+ def _increment_mock_call(self, /, *args, **kwargs):
-+ with self._mock_calls_events_lock:
-+ super()._increment_mock_call(*args, **kwargs)
-+
- def wait_until_called(self, *, timeout=_timeout_unset):
- """Wait until the mock object is called.
-
---
-2.34.1
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.14.5.bb
rename to meta/recipes-devtools/python/python3_3.14.6.bb
index ed413dc1fe93..239c966065ce 100644
--- a/meta/recipes-devtools/python/python3_3.14.5.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,13 +35,12 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Skip-flaky-test_default_timeout-tests.patch \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
- file://0001-Fix-ThreadingMock-call-count-race-condition.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
"
-SRC_URI[sha256sum] = "7e32597b99e5d9a39abed35de4693fa169df3e5850d4c334337ffd6a19a36db6"
+SRC_URI[sha256sum] = "143b1dddefaec3bd2e21e3b839b34a2b7fb9842272883c576420d605e9f30c63"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -524,7 +523,5 @@ py3_sysroot_cleanup () {
rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
}
-CVE_STATUS[CVE-2026-4786] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-5713] = "cpe-stable-backport: backported to v3.14.5"
CVE_STATUS[CVE-2026-6019] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-6100] = "cpe-stable-backport: backported to v3.14.5"
+CVE_STATUS[CVE-2026-7210] = "cpe-stable-backport: backported to v3.14.6"
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [wrynose][PATCH 2/3] python3: fix CVE-2026-11940
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed
by a crafted archive where a hardlink references a symlink stored at a
deeper name than the hardlink itself.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../python/python3/CVE-2026-11940.patch | 67 ++++++++++++++++++++++
meta/recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 68 insertions(+)
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11940.patch b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
new file mode 100644
index 000000000000..05a5802c3965
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
@@ -0,0 +1,67 @@
+From e24b4e95524fbe8cd0f46aa3292e8040f0e07c83 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 23 Jun 2026 15:58:47 +0200
+Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile`
+ hardlink-extraction fallback (GH-151559)
+
+CVE: CVE-2026-11940
+Upstream-Status: Backport [https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 3 +++
+ Lib/test/test_tarfile.py | 24 ++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index e6734db24f64..63f23490e8a1 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -2782,6 +2782,9 @@ def makelink_with_filter(self, tarinfo, targetpath,
+ "makelink_with_filter: if filter_function is not None, "
+ + "extraction_root must also not be None")
+ try:
++ filter_function(
++ unfiltered.replace(name=tarinfo.name, deep=False),
++ extraction_root)
+ filtered = filter_function(unfiltered, extraction_root)
+ except _FILTER_ERRORS as cause:
+ raise LinkFallbackError(tarinfo, unfiltered.name) from cause
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index d974c7d46ec1..0fc7413be8db 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4344,6 +4344,30 @@ def test_sneaky_hardlink_fallback(self):
+ self.expect_file("boom", symlink_to='../../link_here')
+ self.expect_file("c", symlink_to='b')
+
++ @symlink_test
++ def test_sneaky_hardlink_fallback_deep(self):
++ # (CVE-2026-11940)
++ with ArchiveMaker() as arc:
++ arc.add("a/b/s", symlink_to=os.path.join("..", "escape"))
++ arc.add("s", hardlink_to=os.path.join("a", "b", "s"))
++
++ with self.check_context(arc.open(), 'data'):
++ e = self.expect_exception(
++ tarfile.LinkFallbackError,
++ "link 's' would be extracted as a copy of "
++ + "'a/b/s', which was rejected")
++ self.assertIsInstance(e.__cause__,
++ tarfile.LinkOutsideDestinationError)
++
++ for filter in 'tar', 'fully_trusted':
++ with self.subTest(filter), self.check_context(arc.open(), filter):
++ if not os_helper.can_symlink():
++ self.expect_file("a/")
++ self.expect_file("a/b/")
++ else:
++ self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape'))
++ self.expect_file("s", symlink_to=os.path.join('..', 'escape'))
++
+ @symlink_test
+ def test_exfiltration_via_symlink(self):
+ # (CVE-2025-4138)
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index 239c966065ce..ffb7fb6e207d 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Skip-flaky-test_default_timeout-tests.patch \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
+ file://CVE-2026-11940.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [wrynose][PATCH 3/3] python3: fix CVE-2026-11972
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
When using the "tarfile" module with a file opened in "streaming mode"
(mode="r|") the tarfile module did not properly handle EOF, making archive
parsing take exponentially longer.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../python/python3/CVE-2026-11972.patch | 59 ++++++++++++++++++++++
meta/recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 60 insertions(+)
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
new file mode 100644
index 000000000000..7dc9c6697112
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
@@ -0,0 +1,59 @@
+From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 23 Jun 2026 15:13:30 +0200
+Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF
+ (GH-151982)
+
+CVE: CVE-2026-11972
+Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 4 +++-
+ Lib/test/test_tarfile.py | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 63f23490e8a1..399f906efdff 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -524,7 +524,9 @@ def seek(self, pos=0):
+ if pos - self.pos >= 0:
+ blocks, remainder = divmod(pos - self.pos, self.bufsize)
+ for i in range(blocks):
+- self.read(self.bufsize)
++ data = self.read(self.bufsize)
++ if not data:
++ break
+ self.read(remainder)
+ else:
+ raise StreamError("seeking backwards is not allowed")
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 0fc7413be8db..045377d620cc 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path):
+ with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter):
+ self.expect_exception(TypeError) # errorlevel is not int
+
++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT])
++ def test_getmembers_big_size(self, format):
++ # gh-151981: A loop in seek() for streaming files tried to read the
++ # declared number of blocks even at EOF
++ tinfo = tarfile.TarInfo("huge-file")
++ tinfo.size = 1 << 64
++ bio = io.BytesIO()
++ # Write header without data
++ bio.write(tinfo.tobuf(format))
++
++ # Reset & try to get contents
++ bio.seek(0)
++ with tarfile.open(fileobj=bio, mode="r|") as tar:
++ with self.assertRaises(tarfile.ReadError):
++ tar.getmembers()
++
+
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+ testdir = os.path.join(TEMPDIR, "testoverwrite")
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index ffb7fb6e207d..ec1fd7156bd9 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
file://CVE-2026-11940.patch \
+ file://CVE-2026-11972.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-06 11:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.